Taxonomies used in MISP taxonomy system and can be used by other information sharing tool. https://www.circl.lu/doc/misp-taxonomies/
 
 
Go to file
Alexandre Dulaunoy 70be9e3570 Complete ENISA Threat Taxonomy added 2016-06-10 20:11:48 +02:00
admiralty-scale Added a version number in the JSON - Fix #2 2015-11-22 07:56:48 +01:00
adversary action added to the adversary name space 2016-02-16 21:19:19 +01:00
circl CIRCL Taxonomy - Schemes of Classification in Incident Response and 2015-11-22 09:52:57 +01:00
de-vs Update README.md 2016-02-09 11:27:10 +01:00
dhs-ciip-sectors Typo fixed 2016-03-03 23:04:11 +01:00
dni-ism Missing atomicEnergyMarkings added 2015-11-28 18:11:09 +01:00
ecsirt added Incident Classification by the ecsirt.net project WP4 clearinghouse policy and updated by IntelMQ. 2015-11-25 15:32:12 +01:00
enisa Complete ENISA Threat Taxonomy added 2016-06-10 20:11:48 +02:00
eu-critical-sectors Include #16 2016-03-03 15:47:47 +01:00
euci Update machinetag.json 2016-03-23 15:10:48 +01:00
europol-events Add Europol types of events taxonomy 2016-06-03 15:33:56 +02:00
europol-incident Add Europol types of events taxonomy 2016-06-03 15:33:56 +02:00
first_csirt_case_classification tags 2016-02-04 15:59:30 +01:00
fr-classification FR Classification - pretty print 2016-05-06 21:01:39 +02:00
malware first shot of malware classification 2016-02-04 16:48:59 +01:00
misp Initial MISP internal taxonomy to infer with MISP behaviors 2016-05-17 18:27:19 +02:00
nato NATO classification markings. (first DRAFT) 2015-11-29 10:23:14 +01:00
osint Certainty scale added 2016-01-21 22:56:22 +01:00
tlp Colour added to the TLP taxonomy (fix #21) 2016-05-31 16:39:17 +02:00
tools Merge branch 'master' of github.com:MISP/misp-taxonomies 2016-06-03 21:32:48 +02:00
veris Added missing version 2015-11-24 10:57:19 +01:00
.travis.yml Add travis file 2016-04-11 12:38:28 +02:00
README.md Add Europol types of events taxonomy 2016-06-03 15:33:56 +02:00

README.md

MISP Taxonomies

Build Status

Taxonomies that can be used in MISP (2.4) and other information sharing tool and expressed in Machine Tags (Triple Tags). A machine tag is composed of a namespace (MUST), a predicate (MUST) and an (OPTIONAL) value. Machine tags are often called triple tag due to their format.

Overview of the MISP taxonomies

The following taxonomies can be used in MISP (as local or distributed tags) or in other tools willing to share common taxonomies among security information sharing tools.

The following taxonomies are described:

Admiralty Scale

The Admiralty Scale (also called the NATO System) is used to rank the reliability of a source and the credibility of an information.

Adversary

An overview and description of the adversary infrastructure.

CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection

CIRCL Taxonomy is a simple scheme for incident classification and area topic where the incident took place.

DE German (DE) Government classification markings (VS)

Taxonomy for the handling of protectively marked information in MISP with German (DE) Government classification markings (VS).

DHS CIIP Sectors

DHS critical sectors as described in https://www.dhs.gov/critical-infrastructure-sectors.

eCSIRT and IntelMQ incident classification

eCSIRT incident classification Appendix C of the eCSIRT EU project including IntelMQ updates.

EU Critical Sectors

Market operators and public administrations that must comply to some notifications requirements under EU NIS directive.

EUCI classification

EU classified information (EUCI) means any information or material designated by a EU security classification, the unauthorised disclosure of which could cause varying degrees of prejudice to the interests of the European Union or of one or more of the Member States as described.

FIRST CSIRT Case classification

FIRST CSIRT Case Classification.

Information Security Marking Metadata DNI (Director of National Intelligence - US)

ISM (Information Security Marking Metadata) V13 as described by DNI.gov.

Malware classification

Malware classification based on a SANS whitepaper about malware.

NATO Classification Marking

Marking of Classified and Unclassified materials as described by the North Atlantic Treaty Organization, NATO.

TLP - Traffic Light Protocol

The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time.

Vocabulary for Event Recording and Incident Sharing VERIS

Vocabulary for Event Recording and Incident Sharing is a format created by the VERIS community.

How to contribute your taxonomy?

It is quite easy. Create a JSON file describing your taxonomy as triple tags (e.g. check an existing one like Admiralty Scale), create a directory matching your name space, put your machinetag file in the directory and pull your request. That's it. Everyone can benefit from your taxonomy and can be automatically enabled in information sharing tools like MISP.

For more information, "Information Sharing and Taxonomies Practical Classification of Threat Indicators using MISP" presentation given to the last MISP training in Luxembourg.

How to add your private taxonomy to MISP

$ cd /var/www/MISP/app/files/taxonomies/
$ mkdir privatetaxonomy
$ cd privatetaxonomy
$ vi machinetag.json

Create a JSON file Create a JSON file describing your taxonomy as triple tags.

Once you are happy with your file go to MISP Web GUI taxonomies/index and update the taxonomies, the newly created taxonomy should be visible, now you need to activate the tags within your taxonomy.

MISP Taxonomies - tools

machinetag.py is a parsing tool to dump taxonomies expressed in Machine Tags (Triple Tags) and list all valid tags from a specific taxonomy.

% cd tools
% python machinetag.py
        admiralty-scale:source-reliability="a"
        admiralty-scale:source-reliability="b"
        admiralty-scale:source-reliability="c"
        admiralty-scale:source-reliability="d"
        admiralty-scale:source-reliability="e"
        admiralty-scale:source-reliability="f"
        admiralty-scale:information-credibility="1"
        admiralty-scale:information-credibility="2"
        admiralty-scale:information-credibility="3"
        admiralty-scale:information-credibility="4"
        admiralty-scale:information-credibility="5"
        admiralty-scale:information-credibility="6"
        ...